yahoo-eng-team team mailing list archive

[Bug 1736021] Re: default SESSION_ENGINE is still signed_cookies

Reviewed:  https://review.openstack.org/630790
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=a98468bef6b1bd8b3e762d4e22c8b83d27a8aa6a
Submitter: Zuul
Branch:    master

commit a98468bef6b1bd8b3e762d4e22c8b83d27a8aa6a
Author: Akihiro Motoki <amotoki@xxxxxxxxx>
Date:   Tue Jan 15 07:42:06 2019 +0900

    Change the default SESSION_ENGINE to use cached sessions
    
    This commit changes the default SESSION_ENGINE to the cached
    sessions and the default cached backend to memcached.
    
    The cached sessions with memcached is our current recommendation, but
    we do not use it in our default settings and do not test it in our CI
    (horizon-dsvm-tempest-plugin). It is better to use the recommended
    configurations in our CI.
    The previous default SESSION_ENGINE, the signed cookies, has
    a limitation on the length of cookies and using keystone3 can hit this
    easily. It is not ready for production for most cases.
    
    For a cache backend, considering multi-process web server deployments,
    memcached is recommended rather than a local memory backend.
    
    Note for developers: If you use "tox -e runserver" for development,
    SESSION_ENGINE = 'django.contrib.sessions.backends.cache' might not
    work as expected. From my testing, I was forced to log-in frequently
    when moving pages. If you hit this, my suggestion is to configure
    SESSION_ENGINE to django.contrib.sessions.backends.signed_cookies.
    
    Change-Id: I1c4578ec5a7f70a59c6348d76ad0c12956a18573
    Closes-Bug: #1736021


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1736021

Title:
  default SESSION_ENGINE is still signed_cookies

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  We still use SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies' as default.
  There is a limitation on the length of cookies and using keystone v3 can hit this limitation.

  We configure the local memory for session storage
  django.core.cache.backends.locmem.LocMemCache, but according to the
  django documentation [1], this is only effective when
  django.contrib.sessions.backends.cache is used as SESSION_ENGINE.

  I think it is better to switch the default SESSION_ENGINE to
  django.contrib.sessions.backends.cache.

  [1] https://docs.djangoproject.com/en/1.11/topics/http/sessions/#configuring-the-session-engine

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1736021/+subscriptions
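
The cookie-length limitation named in the commit message and the bug description, as an added example that is not part of the original message or of Horizon's code: with a signed-cookie session the whole session dictionary is serialized, signed and sent as one cookie value, so its size grows with whatever the session holds. The 4096-byte limit, the secret, the timestamp and both session dictionaries are assumptions constructed for illustration, and the signing is simplified relative to Django's.

```python
import base64
import hashlib
import hmac
import json
import zlib

COOKIE_LIMIT = 4096  # assumed per-cookie size limit in bytes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def signed_cookie_value(session: dict, secret: bytes, timestamp: int) -> str:
    """Approximate the payload:timestamp:signature layout of a signed-cookie session."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    # Compression is kept only when it actually shrinks the payload.
    body = "." + _b64(packed) if len(packed) < len(raw) - 1 else _b64(raw)
    signed = f"{body}:{timestamp}"
    mac = hmac.new(secret, signed.encode(), hashlib.sha256).digest()
    return f"{signed}:{_b64(mac)}"


def fits_in_cookie(session: dict, secret: bytes = b"constructed-secret",
                   timestamp: int = 1547505726) -> bool:
    return len(signed_cookie_value(session, secret, timestamp)) <= COOKIE_LIMIT


def constructed_blob(n_chars: int) -> str:
    """Deterministic, poorly compressible filler standing in for large auth data."""
    out, block = [], b"seed"
    while sum(map(len, out)) < n_chars:
        block = hashlib.sha256(block).digest()
        out.append(block.hex())
    return "".join(out)[:n_chars]


# Constructed sessions: a small one, and one carrying a large identity payload.
SMALL = {"user_id": "demo", "token": constructed_blob(64)}
LARGE = {"user_id": "demo", "token": constructed_blob(64),
         "auth_data": constructed_blob(16000)}

if __name__ == "__main__":
    for name, sess in (("small", SMALL), ("large", LARGE)):
        size = len(signed_cookie_value(sess, b"constructed-secret", 1547505726))
        print(f"{name}: {size} bytes, fits={size <= COOKIE_LIMIT}")
```

With django.contrib.sessions.backends.cache the cookie carries only the session key and the data stays in the cache backend, so the cookie size no longer depends on the session contents.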

